{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-23217","title":"Title"},{"category":"description","text":"mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the cannot access the API directly, they can access the API through the proxy. An attacker may be able to escalate this SSRF-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. This vulnerability has been fixed in mitmproxy 11.1.2 and above. Users are advised to upgrade. There are no known workarounds for this vulnerability.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-23217","url":"https://www.suse.com/security/cve/CVE-2025-23217"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1236890 for CVE-2025-23217","url":"https://bugzilla.suse.com/1236890"}],"title":"SUSE CVE CVE-2025-23217","tracking":{"current_release_date":"2025-03-15T03:53:37Z","generator":{"date":"2025-02-08T03:47:08Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-23217","initial_release_date":"2025-02-08T03:47:08Z","revision_history":[{"date":"2025-02-08T03:47:08Z","number":"2","summary":"Current version"},{"date":"2025-02-11T03:47:53Z","number":"3","summary":"Current version"},{"date":"2025-02-14T03:49:46Z","number":"4","summary":"Current version"},{"date":"2025-02-15T16:56:19Z","number":"5","summary":"Current version"},{"date":"2025-03-15T03:53:37Z","number":"6","summary":"Current version"}],"status":"interim","version":"6"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"python312-mitmproxy-11.1.2-1.1","product":{"name":"python312-mitmproxy-11.1.2-1.1","product_id":"python312-mitmproxy-11.1.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python312-mitmproxy@11.1.2-1.1"}}},{"category":"product_version","name":"python313-mitmproxy-11.1.2-1.1","product":{"name":"python313-mitmproxy-11.1.2-1.1","product_id":"python313-mitmproxy-11.1.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python313-mitmproxy@11.1.2-1.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python312-mitmproxy-11.1.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python312-mitmproxy-11.1.2-1.1"},"product_reference":"python312-mitmproxy-11.1.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python313-mitmproxy-11.1.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python313-mitmproxy-11.1.2-1.1"},"product_reference":"python313-mitmproxy-11.1.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2025-23217","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-23217"}],"notes":[{"category":"general","text":"mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the cannot access the API directly, they can access the API through the proxy. An attacker may be able to escalate this SSRF-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. This vulnerability has been fixed in mitmproxy 11.1.2 and above. Users are advised to upgrade. There are no known workarounds for this vulnerability.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:python312-mitmproxy-11.1.2-1.1","openSUSE Tumbleweed:python313-mitmproxy-11.1.2-1.1"]},"references":[{"category":"external","summary":"CVE-2025-23217","url":"https://www.suse.com/security/cve/CVE-2025-23217"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1236890 for CVE-2025-23217","url":"https://bugzilla.suse.com/1236890"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:python312-mitmproxy-11.1.2-1.1","openSUSE Tumbleweed:python313-mitmproxy-11.1.2-1.1"]}],"threats":[{"category":"impact","date":"2025-02-06T19:00:59Z","details":"important"}],"title":"CVE-2025-23217"}]}